03-30-2016 06:31 AM - edited 03-30-2016 06:58 AM
If you want to extend the built-in DNS Top Clients report with geolocation and a map, here are a few tips and some code to quickly copy and paste.
Top DNS Client per country:
index=ib_dns_summary report=si_dns_top_clients $members$ $dns_view_str$ | iplocation CLIENT | stats sum(COUNT) as CLIENT_QUERIES by Country | sort -Country limit=$topn$
Top DNS Client per city:
index=ib_dns_summary report=si_dns_top_clients $members$ $dns_view_str$ | iplocation CLIENT | stats sum(COUNT) as CLIENT_QUERIES by City | sort -City limit=$topn$
Top DNS Client GeoLocation:
index=ib_dns_summary report=si_dns_top_clients $members$ $dns_view_str$ | iplocation CLIENT | geostats sum(COUNT) by CLIENT globallimit=0 locallimit=10
A next step could be to reuse these queries on ADP attack reports to geolocate attackers' IPs.
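In the country and city searches above, `sort -Country` and `sort -City` order the rows by name in descending alphabetical order, so the limit keeps the last names in the alphabet rather than the busiest locations. The variant below is an added example, not code from the original post; it ranks countries by summed query count, and the "Unknown" label and the TOTAL_QUERIES and PCT fields are names introduced here for illustration.

```spl
index=ib_dns_summary report=si_dns_top_clients $members$ $dns_view_str$
| iplocation CLIENT
| eval Country=if(isnull(Country) OR Country="", "Unknown", Country)
| stats sum(COUNT) as CLIENT_QUERIES by Country
| eventstats sum(CLIENT_QUERIES) as TOTAL_QUERIES
| eval PCT=round(100 * CLIENT_QUERIES / TOTAL_QUERIES, 1)
| sort 0 -CLIENT_QUERIES
| head $topn$
| fields Country CLIENT_QUERIES PCT
```

Clients that `iplocation` cannot map, such as private address ranges, are grouped under "Unknown" instead of being dropped by `stats`, and PCT shows each country's share of all counted queries. Replace `Country` with `City` to get the per-city ranking.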
04-14-2016 02:31 AM
Hi. Thanks for the dashboard.
My servers are located in Moscow, Russia, and the clients are basically from Russia, but I don't see the country Russia in "Top 10 DNS Clients Country" or Moscow in "Top 10 DNS Clients City". At the top is the USA, which is very strange.
At the same time, on the "Top DNS Client Geo Map", Russia and Moscow are the biggest pie.
04-14-2016 09:21 AM - edited 04-14-2016 09:22 AM
Actually there is no CLIENT_QUERIES, what you may want is to remove the by CLIENT constraint:
index=ib_dns_summary report=si_dns_top_clients (orig_host="*") * | iplocation CLIENT | geostats sum(COUNT) globallimit=0 locallimit=10
Doing so gives global visibility on the query distribution, but not what the top IPs per location are.
02-23-2017 06:09 AM
Is anything in the works to be able to do this on an enterprise's intranet, using the EAs contained in the IPAM data to geolocate internally?
This would be great both for this kind of query heat map and for Infoblox member status, plotted on a map like this by pulling the location from the members' EAs. (CPU, memory, calculated % load from some of the other dashboards you have provided... maybe use either a custom script on the reporting member or just a "last data collected" from a member to get a basic up \ down connectivity status...)
03-07-2017 09:24 AM
I found some of the pieces of the very old bloxtools plug-in that was started for putting Infoblox grid status onto a Google map. From the file dates it looks like it was from around 2009. The Google Maps API that it used has been deprecated, and the code is not really useful even as a starting point.
So just another nudge that this kind of "report candy" is nice for showing off the reporting tool and can be useful for help desks and NOCs for large intranets...